Monday, April 19, 2010

According to the Verizon Business 2009 Data Breach Investigations Report, more records were breached in 2008 than in the past four years combined, thanks to organized criminal groups responsible for most of the 285 million records compromised last year.

Verizon Business' report, which was based on data from 90 confirmed corporate network breaches it recorded last year, found that 93% of the total records compromised were related to the financial industry. Eighty percent of the cases were payment card breaches, while payment card data represented 98% of all records compromised in 2008. Verizon Business said personal identification number data is now a top target for cyber thieves who use it to gain access to victims' money through ATM withdrawals.

Attacks on financial firms' networks have become more sophisticated and successful, resulting in a spike in breaches, Verizon said. While only 17% of the attacks studied by Verizon constituted "highly sophisticated" data breaches, these attacks were responsible for 95% of all records breached.

Unfortunately, the report found that three-fourths of organizations that suffered payment card breaches were not compliant with the Payment Card Industry Data Security Standard or had never been audited. The typical organization had met less than one-third of the standard's requirements, Verizon said.

Of the total breaches, the report found:

* 75% came from external sources; 39% involved multiple parties; 32% involved business partners; and 20% came from inside attacks.

* Three-fourths of the breaches were undiscovered and uncontained for weeks or months.

* 64% of breaches resulted from malicious hacking; 38% used malware; 22% involved privileged misuse; and 9% used physical attacks, such as equipment theft or tampering.

* In about 40% of hacking-related breaches, an attacker gained unauthorized access to the victim via remote access and management software typically used by third-parties for remote administration.

In 2008, Verizon found malicious software, or malware, was involved in more than one-third of the cases investigated, and it contributed to 9 out of 10 of all records breached.

Verizon said most of the attacks were preventable and avoidable if businesses had followed security basics, such as changing user names and passwords on a regular basis; avoiding shared user names and passwords; conducting regular reviews to ensure all open user accounts are valid and properly configured; testing regularly to ensure applications are not vulnerable to SQL injection attacks; following a comprehensive patching policy; and ensuring human resources departments terminate account access for workers who leave the company.